Our Vulnerability Disclosure Process

Vulnerability Disclosure

Friends, Romans, Awesome Volunteers, lend me your ears!

We constantly get approached from you beautiful people with regard to putting you directly in touch with the contacts we have at the Health Trusts and Providers.

Whilst we do not wish to offend or dampen your volunteering efforts, we must point out that unfortunately this is not something we are able to do.

This is for several reasons, but the primary one is due to GDPR and responsibility for sharing private information.

What we can do however is share the activity or information you wish to bring to the trusts via our Threat Briefings or indeed if it warrants it, with a direct outreach to specific Trusts/Providers.

We do have direct reporting capabilities for high/critical vulnerabilities, this is handled through the intel services relevant to a specific country.

We are always willing to give volunteers who assist with a shout out or indeed attribution moving forward.

Also, we are not stopping you contacting Trusts/Providers directly, but again ask that if you do, you do it in your own capacity and make it clear to the recipients that you are not acting on our behalf or with our blessing.

Please, please, please do not take this in any other way other than the team adhering to the agreements we currently have in place.

Thank you for your continued help and support during this time.

Our Phishing Awareness Campaign

Cyber Awareness

Over the last week or so, the team at Cygenta and I have been busy pulling together the first campaign for the CV19 volunteers group, which is focused on phishing awareness. This campaign will go to frontline and back office staff in healthcare organisations in the UK, Germany, France, Spain, Italy, Portugal, Russia, Poland, Greece, Sweden, Slovakia, Finland, Norway and the Netherlands. It will also be made available for use in CV19 sister groups in Australia, Brazil, the USA and Dubai.

You can see all of the resources and download them here.

Cyber criminals are seeking to exploit the COVID-19 pandemic, with many social engineering attacks using the crisis as a theme in one way or another. The UK’s National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject, as they outline in this pdf joint advisory with the US Department of Homeland Security. According to Google, criminals are sending 18 million COVID-19 phishing emails a day to Gmail users, with some speculating that the pandemic is the biggest phishing topic we have ever seen.

With this in mind, my team and I knew that phishing should be the focus of the first awareness campaign that we would deliver as part of our volunteer work with the CV19 group. The healthcare workers that we know have been recipients of phishing messages both at work and on their personal devices and now, more than ever, we want to help the healthcare sector be as secure as possible. 

Posters for the CV19 phishing awareness campaign

Many phishing attacks take advantage of people’s anxieties, concerns, desire to help and the special offers and support that corporations are extending to healthcare workers. Attackers do this because when a target’s judgement is clouded by emotion, they are more likely to click a link, download an attachment or transfer money without considering the fact that the communication might not be genuine. Therefore, this campaign raises awareness of these scams and the way they target our emotional responses. The aim of this campaign is to encourage people to be vigilant of communications and to take a minute to check it’s right. 

Video for the CV19 phishing awareness campaign

We have intentionally avoided heavy use of fear-based messaging, because such messaging can often be counter-productive. We want to engage and empower people, not add more fear into a climate where there is already enough anxiety. 

For this awareness campaign, we have created three posters, three flyers and a video. These are targeted at frontline and back office healthcare workers in the UK and Europe and are freely available for all to download and use.

You can see all of the resources and download them here.

Supporting the world in cyber space

An unchartered path

We are working away in the background, as many of you can probably imagine, there are a huge rang of logistical challenges in our path. Healthcare (and other sensitive/critical services) is not somewhere where we can just rock up and start jumping on systems and networks, even just organisationally and from a comms point of view the challenges aren’t small. We want to make sure that as a group we can help no matter where we are.

A Force for Good

To this end we are formulating ideas for initiatives whereby we can support our healthcare services from an internet perspective.

Our thinking in this space is along these lines:

  • Phishing Reporting
  • Malware Analysis
  • OSINT/Threat Intelligence
  • Malicious Website Takedowns
  • COVID19 ‘Opportunity Abuse’
  • Social Media Amplification
  • Creation of helpful content around good cyber security guidance
  • Sharing of useful resources and trusted services

We are taking a cautious approach with how we enable this group, we are doing a huge amount of work talking with partners, volunteers and technical solution providers, but we also MUST ensure that the work we do is conducted inline with our mission to HELP (not hinder)! We’ve put together a code of conduct to help support this!

If anyone has any suggestions for other ways we can support, please get in touch with the team on the LinkedIn group.

Building the right foundations

In response to the initial concept we have had a huge level of response from volunteers. We do however realise that in order to be effective we need to have some structure and need to do a level of planning at the backend to ensure the following:

  • Healthcare providers are aware of the intent.
  • Healthcare providers know how to request support
  • That there is the appropriate processes and procedures in place to put HC providers in contact with volunteers

This list isn’t exhaustive, there are lots of things to consider when setting up a volunteer organisation, so please bear with us. We are in talks with both healthcare providers and government agencies to make sure we get this off on the right foot, that we have a suitable structure and that ultimately we can all help support our great healthcare providers in a manner which gives them the help and support they need, in the manner they need it.

Please bear with us as we develop and grow this, we are trying to move at pace but also ensure we focus on our primary objective of delivering actionable support to healthcare, we already are working with NHS trusts.

In the meantime we ask that people join our LinkedIn group whilst we co-ordinate across healthcare providers, volunteers, vendors and various agencies.